A CVE (tracking number) was recently issued for a long-standing DNS re-binding exploit (and with a CVE, the security plugins now toot it).
It has a very low priority, since it relies on someone hijacking your server’s DNS resolver. You can find some details, and responses, at https://portswigger.net/daily-swig/six-year-old-blind-ssrf-vulnerability-in-wordpress-core-feature-could-enable-ddos-attacks
@jmcmahan15 No vulnerability should be completely ignored, but to be clear exploiting this vulnerability in any practical sense would be near impossible.
First, to do so would require chaining together multiple other _hypothetical_ vulnerabilities in other systems. Namely whatever DNS server your site is using to look up remote addresses.
Even then all this does is allow someone to send a request to another server (i.e. DDoS on another server). This isn’t the kind of vulnerability that would grant someone access to your WordPress site.
Finally, actually DDoS’ing another server would require exploiting this same vulnerability across 1000s of WP instances. 1000s of WP installs which were susceptible to the same CHAIN of vulnerabilities, and as yet that chain of vulnerabilities isn’t known.
A proof of concept will come out eventually, but I suspect it’ll presume someone has compromised other systems (namely your local DNS resolution) which again seems extremely unlikely.
You’re extremely paranoid, simply disable Pingbacks and Trackbacks (which is generally a good idea anyway, or at least a very common configuration step).
https://www.wpbeginner.com/wp-tutorials/how-to-disable-trackbacks-and-pings-on-existing-wordpress-posts/
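
Added example, not part of the thread and not WordPress's code: a small simulation of why DNS re-binding needs control of the resolver, and how resolving once and connecting to the validated address closes the gap. The resolver class, function names, host name, and addresses are all constructed for illustration.

```python
import ipaddress

# Short constructed list of internal ranges; a real check would cover more.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

class FlippingResolver:
    """Stand-in for a hijacked resolver: the first answer differs from later ones."""
    def __init__(self, first, later):
        self.answers = (first, later)
        self.lookups = 0

    def resolve(self, host):
        ip = self.answers[min(self.lookups, 1)]
        self.lookups += 1
        return ip

def is_allowed(ip):
    """True when the address is outside every listed internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def fake_connect(resolver, target):
    """Stand-in for an HTTP client: resolves host names itself, uses IP literals as is.
    Returns the address the connection would actually reach."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        return resolver.resolve(target)

def check_then_fetch(resolver, host):
    """Weak pattern: validate one lookup, then let the client resolve again."""
    if not is_allowed(resolver.resolve(host)):
        return None
    return fake_connect(resolver, host)  # second, unchecked lookup

def resolve_pin_fetch(resolver, host):
    """Hardened pattern: one lookup, validate it, connect to that exact address."""
    ip = resolver.resolve(host)
    if not is_allowed(ip):
        return None
    return fake_connect(resolver, ip)  # pinned; a real client still sends Host: <host>

if __name__ == "__main__":
    weak = check_then_fetch(FlippingResolver("203.0.113.10", "127.0.0.1"), "rebind.example")
    pinned = resolve_pin_fetch(FlippingResolver("203.0.113.10", "127.0.0.1"), "rebind.example")
    print("check-then-fetch reaches:", weak)
    print("resolve-pin-fetch reaches:", pinned)
```

With a resolver that always returns the same answer, both functions reach the same address, which is why the re-binding case depends on the resolver being under someone else's control.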
